LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Closed Thread
 
Search this Thread
Old 01-05-2006, 09:12 PM   #1
Ardor
LQ Newbie
 
Registered: Sep 2005
Distribution: RedHat 9.0
Posts: 8

Rep: Reputation: 0
Windows beats Linux / Unix on vulnerabilities - CERT


Quote:
Windows beats Linux / Unix on vulnerabilities - CERT
Good news and bad news
By Gavin Clarke in San Francisco
Published Thursday 5th January 2006 09:41 GMT

It might not feel like it, but Windows suffered less security vulnerabilities than Linux and Unix during 2005.

Linux and Unix experienced more than three times as many reported security vulnerabilities than Windows, according to the mighty US Computer Emergency Readiness Team (CERT) annual year-end security index.
Click Here

Windows experienced 812 reported operating system vulnerabilities for the period between January and December 2005, compared to 2,328 for Linux and Unix.

CERT found more than 500 multiple vendor vulnerabilities in Linux and Unix spanning old favorites such as denial of service and buffer overflows, while CERT recorded 88 Windows-specific holes and 44 in Internet Explorer (IE). For a complete list of vulnerabilities, you can visit the CERT site here.

The annual poll does not include the Windows MetaFile (WMF) vulnerability, which has become the most widely reported attack on Windows according to security and antivirus specialist McAfee since being reported on December 28.

News of Windows' relative security will prove little comfort to millions of computer users now bracing for the latest attack of the Sober worm variant due this week.

CERT's data underlines the scale of the challenge faced by Microsoft on security, four years into the company's highly publicized Trusted Computing initiative.

Despite posting fewer vulnerabilities than its Unix and Linux challengers and Microsoft going out its way to talk up its "progress" in security in 2005, it is attacks on Windows that still cause more concern and generate most headlines.

The reason is that, unlike Linux, Windows has greater potential to cause harm because of its presence on desktops in the hands of users who receive self-propagating worms, click on email attachments and download malicious code. And while it seems just as each hole is fixed, a new vulnerability is unlocked elsewhere in the vast Windows code base.
http://www.theregister.co.uk/2006/01...lnerabilities/

Any thoughts?
 
Old 01-05-2006, 10:06 PM   #2
Crito
Senior Member
 
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168

Rep: Reputation: 53
Key word is "reported". It's a well know fact most windows vulnerabilities are never reported publicly. And even when they are reported it's usually only after a fix is available, in some cases leaving customers unwittingly vulnerable for months between discovery and the fix's release. All CERT's study truly reveals is that ignorance is still bliss.
 
Old 01-05-2006, 10:06 PM   #3
musicman_ace
Senior Member
 
Registered: May 2001
Location: Indiana
Distribution: Gentoo, Debian, RHEL, Slack
Posts: 1,555

Rep: Reputation: 46
I would question if all 2,238 vulnerabilities applied to each distro. For instance, did gentoo suffer from all of those, or was that a collective number from each distro. Another question is, Were those 2000 vulnerabilities 'Kernel vulnerabilities' or software packages. you can't blame linux if your vixie-cron daemon had a vulnerability unless you count windows programs that were installed after the operating system.
 
Old 01-05-2006, 10:24 PM   #4
Crito
Senior Member
 
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168

Rep: Reputation: 53
As proof, here's an old incident of a serious vulnerability that MS kept quiet about for months and only disclosed publicly because word leaked out about it:

"Another ASN.1 flaw that affected many more companies and involved more research was made public in only five months. Although the decision to disclose information on the flaw was made after such information had already leaked out, many companies had fixes in place or quickly made them available."

FROM: http://news.zdnet.com/2100-1009_22-5158625.html

Linux's open nature encourages full disclosure of vulnerabilties and that's a positive in my book. MS' customers are treated like mushrooms: kept in the dark and fed boolshiat like CERT's.
 
Old 01-05-2006, 11:46 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Also that report is comparing windows against Linux/Unix which includes (if you look at the vulns) Mac OSX, FreeBSD, OpenBSD, HP-UX, AIX, Solaris, SCO Unixware, and several Linux distros. There also appears to be multiple entries counted for the same vuln in different Linux vendors. So I think you need to be careful about what kind of conclusions you try to draw from that report.
 
Old 01-06-2006, 01:34 AM   #6
fancypiper
Guru
 
Registered: Feb 2003
Location: Sparta, NC USA
Distribution: Ubuntu 10.04
Posts: 5,141

Rep: Reputation: 57
Most if not all of these articles count Linux vuls by adding up all vuls of all distros which inflates the Linux numbers greatly.

Check out the servers and see which has more cracks, but don't count each Linux distro as a separate exploit. Netcraft is a good place to start your own research.

Also, check to see who sponsored the study. If it is sponsored by MSFT, they are well known for this type of FUD.

This report will repeat next year as I have seen it every year since I installed my first Linux distro in 1999.

How about viruses and worms?
# Basic Linux security and virus info
The Virus Writing HOWTO reference: Should I get anti-virus software for my Linux box?
Unusual network activity? chkrootkit is a tool to locally check for signs of a rootkit
Linux Questions Security references
Security Help Files
Linux Administrator's Security Guide
Security Focus
Linux Security
Firewalls and Security

Last edited by fancypiper; 01-06-2006 at 01:39 AM.
 
Old 01-06-2006, 07:50 AM   #7
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 66
You'll also note that lots of the cert "unix/linux" vunerabilities are in software that few people use and that isn't grouped with any distributions by default. For example, there is an imap server availible through apt that is still in testing and isn't thought to be secure, and cert has like 100 vunerabilities from that program listed.
 
Old 01-06-2006, 11:10 AM   #8
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 52
mmmmhh compare the colors

http://www.frsirt.com/english/vendor/2161
http://www.frsirt.com/english/vendor/1948


I may be blind but there is one a bit more red
lol
 
Old 01-06-2006, 04:11 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally Posted by fancypiper
Also, check to see who sponsored the study. If it is sponsored by MSFT, they are well known for this type of FUD.
I don't believe it was sponsored by anyone, especially not by Microsoft. In fact, most vuln reporting mailing lists group their bug reports exactly in this format (windows as one category and unix/linux lumped together as another). So I don't think there is any intentional deceit on the part of CERT. It's just the people reporting on this and using it as evidence that Linux/Unix is somehow less secure are morons.
 
Old 01-06-2006, 04:27 PM   #10
fancypiper
Guru
 
Registered: Feb 2003
Location: Sparta, NC USA
Distribution: Ubuntu 10.04
Posts: 5,141

Rep: Reputation: 57
I don't recall CERT doing anything except listing vuls, but:

Who is paying the reporter?

I know I have seen the same thing reported every year since I discovered Linux, not all using CERT as their source, but several reports I have seen were based on studies financed by MSFT, some of which were very difficult to "follow the money".

I think I probably stated my response poorly after re-reading it.

Prednisone and morphine (which I have to take) aren't great memory boosters.
 
Old 01-06-2006, 04:55 PM   #11
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally Posted by fancypiper
Who is paying the reporter? I know I have seen the same thing reported every year since I discovered Linux, not all using CERT as their source, but several reports I have seen were based on studies financed by MSFT, some of which were very difficult to "follow the money". I think I probably stated my response poorly after re-reading it.
Ahh, I see what you were getting at now...and I have seen the Reg posting troll articles recently.
 
Old 01-06-2006, 10:48 PM   #12
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I'm going to close this thread as we have an identical one in the General forum. Feel free to post comment there:
http://www.linuxquestions.org/questi...d.php?t=399623


//Thread Closed
 
  


Closed Thread


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
MontaVista beats real-time Linux deadline rvijay Linux - News 4 11-05-2005 11:15 AM
Unix Cert eNightmare Linux - Certification 6 08-26-2005 04:52 PM
where windows beats linux guy24x Linux - General 3 06-25-2005 04:37 PM
Report: Linux Vulnerabilities More Numerous And Severe Than Windows Omran Linux - News 20 04-28-2005 04:09 PM
Linux Vulnerabilities More Numerous And Severe Than Windows Omran Linux - Security 2 04-04-2005 05:08 AM


All times are GMT -5. The time now is 02:54 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration